This time I will discuss Leadership—the absolute prerequisite for building an effective and sustainable risk culture.

CEO commitment proves essential

Without strong leadership from the CEO, enterprise risk management will fail sooner or later (probably sooner). The reason is simple:

Embedding good risk management throughout the organization’s decision-making is hard. Hard things are not accomplished unless the CEO wants them to happen and makes them happen.

Too many bank boards and CEOs think that they can delegate enterprise risk management to the Chief Risk Officer.

This is a dangerous illusion.

CEO=CRO

In fact, the CEO is really the chief risk officer because the CEO has direct responsibilities for risk management which cannot be handed off to anyone else:

• Strategy=Risk. The CEO must understand and sign off on all significant risks that are embedded in the bank’s business strategy. The CEO owns the bank’s strategy and therefore owns the risks of that strategy.

For example, is the bank’s commercial lending business positioned to earn an attractive return on the risks being taken? Ultimately, the CEO must decide.

• Chief risk guardian. The CEO must protect the bank’s franchise from excessive or inappropriate risks that could derail its business strategies, damage its reputation, or impair its access to capital.

For example, are the bank’s operations exposed to crippling losses from fraud, business interruptions, or cyber attack? Ultimately, the CEO must make the call to rein in potentially dangerous activities.

To carry out these responsibilities, the CEO must be the driving force in laying out the bank’s risk management values and must commit and underwrite the organizational change required to live up to those values.

Ultimately, the CEO must back words with action.

No need to be Chief Risk Geek

The CEO certainly does not need to be a risk geek.

Many specialized tasks should be delegated to others, including the CRO. But the CEO needs to be fully engaged in the fundamental risk judgments that underpin the bank’s strategy and the health of its franchise.

How do we know that the CEO is on the right track to building a strong risk culture?

There are many observable indicators, some of which are:

1. The CEO has endorsed and implemented a specific risk management framework that spans the entire organization.

This framework specifies methods for identifying all significant risks; for measuring and monitoring risks; for deciding which risks are worth taking and which are not; and for judging whether the bank as a whole is taking too much (or too little) risk.

2. The CEO has provided sufficient funding and support to signal the vital importance of good risk management to the organization.

Money talks.

3. The CEO is seen to reward good risk management and punish bad risk management.

Results matter.

4. The CEO and his team are seen to apply the bank’s risk management principles to their own behavior and decisions.

Hypocrisy doesn’t sell.

5. The CEO is held to account by the board for success or failure in building a strong risk culture.

It should be apparent from this and previous blogs that building a strong risk culture is both vital and difficult.

In the course of this series, we have outlined an ideal state, and no bank can reach perfection. But having a clear goal toward which steady progress is being made is the best we can do in this world. Banks that make the effort will likely outperform those that do not.

Dan Borge is the author of The Book of Risk and a consultant on strategy and risk management. He was the principal architect of the first enterprise risk management system, RAROC (Risk Adjusted Return On Capital), at Bankers Trust, where he was head of strategic planning and a senior managing director. Prior to his banking career, he was an aerospace engineer at The Boeing Company. You can also read a review of The Book of Risk here, "A Risk Management Book That Doesn't Make You Snore."